packblitz, August 17, 2012:

We process our credit cards through a POS ethernet terminal. When an order comes in it uses the 'Credit Card' payment class. The first 4 and last 4 card digits and the expiration date get stored on the order (unencrypted). The middle 8 digits get stored in the database in a different non-descript table than the 'orders' table. When an order is printed out, it pulls the first 4 and last 4 card digits and the expiration date from the database. It also pulls the middle 8 from the non-descript table and puts them together on the invoice paper print-out. As soon as the print-out is done, the middle 8 digits are automatically erased from the non-descript table in the db. The paper print-out is done over https.

Here's my question: is this secure, and if not, what can I do to improve this system's security? Thanks! I'm going over the PCI compliance stuff and want to get it done correctly.
Guest, August 17, 2012:

@packblitz You CANNOT collect credit card information in that manner UNTIL YOU ARE ALREADY PCI DSS COMPLIANT. Also, the credit card module you are using will NOT pass PCI DSS compliance standards.

Chris
packblitz (thread author), August 21, 2012:

Specific to the printing of invoices, is that secure?
MrPhil, August 23, 2012:

I hope you're not printing out the entire credit card number on the customer invoice! That is never done. It would most definitely not be PCI compliant.
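As an added illustration (not code from the thread or from the poster's shop system) of the two points above: the split layout in the first post still retains every PAN digit across the two tables, so it is full-PAN storage, whereas a display mask keeps at most the first 6 and last 4 digits. The table layouts and the test card number below are constructed for the example.

```python
# Added example, not from the thread. Shows (a) that the first-post layout
# (first 4 + last 4 in 'orders', middle 8 in a side table) retains the whole
# PAN across the database, and (b) a PCI DSS-style display mask.

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display; at most first 6 and last 4 digits may remain."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if lead > 6 or trail > 4 or lead + trail >= len(pan):
        raise ValueError("display may reveal at most first 6 and last 4 digits")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


def retains_full_pan(layout: dict, pan_len: int) -> bool:
    """True if the union of stored digit ranges covers every PAN position.

    layout maps a table name to a list of (start, end) half-open digit ranges
    that the table keeps in clear text.
    """
    covered = set()
    for ranges in layout.values():
        for start, end in ranges:
            covered.update(range(start, end))
    return len(covered) == pan_len


# Constructed layouts for a 16-digit PAN.
THREAD_LAYOUT = {"orders": [(0, 4), (12, 16)], "side_table": [(4, 12)]}
TRUNCATED_LAYOUT = {"orders": [(0, 6), (12, 16)]}   # first 6 + last 4 only

if __name__ == "__main__":
    test_pan = "4111111111111111"   # constructed, Luhn-valid test number
    print(luhn_valid(test_pan), mask_pan(test_pan))
    print(retains_full_pan(THREAD_LAYOUT, 16), retains_full_pan(TRUNCATED_LAYOUT, 16))
```

The thread layout evaluates as full-PAN storage even though the digits live in two tables, which is why it cannot be made compliant by relocating or later deleting the middle digits; storing only a truncated form does not.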
packblitz (thread author), August 23, 2012:

We don't send that invoice in the mail with the full card number. It's just so we can enter it in the POS terminal.
MrPhil, August 24, 2012:

PCI compliance aside, most merchant accounts forbid the use of in-store POS terminals to process web (or any other non-in-person) card transactions. Having a physical card in hand means a lower risk of fraud, and they can charge lower fees. If they catch you doing what it sounds like you're doing, you'll catch hell from them.